pfSense and SSH Gate in one box?

pcm81

Senior member
Mar 11, 2011
Can anyone tell me if it's a good or a bad idea to run the SSH tunnel via the same nix server that pfSense is installed on, or should the gateway be a separate box? Looking for "best practices" type of suggestion. The main idea with the SSH gate is to have only 1 port open to the internet and have a powerful machine serving SSH tunnels connecting remote clients to network resources. Here are the layouts:

Internet --- pfSense (one port open to ssh server) --- SSH server === multiple tunnels to the network resources

Internet --- pfSense+SSH server === multiple tunnels to the network


Thanks
 

Red Squirrel

No Lifer
May 24, 2003
www.betteroff.ca
Personally I like to keep the firewall as a completely separate physical box. Basically it minimizes the attack surface. Ex: if the SSH server gets compromised then they can also start changing rules in the firewall.

Either way you should be running fail2ban or another form of brute force prevention on SSH anyway. So SSH with fail2ban on pfSense would probably be fine, it's just that I prefer keeping it separate.
 

pcm81

Senior member
Mar 11, 2011
> Personally I like to keep the firewall as a completely separate physical box. Basically it minimizes the attack surface. Ex: if the SSH server gets compromised then they can also start changing rules in the firewall.
>
> Either way you should be running fail2ban or another form of brute force prevention on SSH anyway. So SSH with fail2ban on pfSense would probably be fine, it's just that I prefer keeping it separate.

Thanks. That is what I was thinking too. Two separate boxes would probably suit my network infrastructure better anyway. Do you think fail2ban is a good tool? It makes perfect sense if the SSH is password protected, but what about 2048-bit RSA authentication with password disabled?
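As an added example (not code from this thread or from fail2ban itself), here is the core of what fail2ban does with sshd's auth log: count failed attempts per source address inside a time window and flag the ones that cross a threshold. The log lines are constructed; the third pattern is the message a key-only sshd (PasswordAuthentication no) writes when it drops a client before authentication, which is why scanners stay visible, and bannable, even with passwords disabled.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd log messages that mean a failed attempt; the last one is what a
# key-only sshd logs when it rejects a client before authentication.
FAIL_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"),
    re.compile(r"Invalid user \S+ from (?P<ip>[\d.]+)"),
    re.compile(r"Connection closed by authenticating user \S+ (?P<ip>[\d.]+) port \d+ \[preauth\]"),
]
TIMESTAMP = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) ")


def find_offenders(lines, maxretry=3, window=timedelta(minutes=10), year=2011):
    """Return {ip: total_failures} for IPs with >= maxretry failures inside one window."""
    failures = defaultdict(list)
    for line in lines:
        m = TIMESTAMP.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        for pattern in FAIL_PATTERNS:
            hit = pattern.search(line)
            if hit:
                failures[hit["ip"]].append(ts)
                break
    offenders = {}
    for ip, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            # failures inside the sliding window [start, start + window]
            if sum(1 for t in times[i:] if t - start <= window) >= maxretry:
                offenders[ip] = len(times)
                break
    return offenders

# Constructed sample log (no real hosts): 203.0.113.5 hammers the key-only
# gate, 198.51.100.7 is one user fumbling once before a good key login.
SAMPLE_LOG = """\
Mar 11 10:00:01 gate sshd[1201]: Connection closed by authenticating user root 203.0.113.5 port 41001 [preauth]
Mar 11 10:00:03 gate sshd[1203]: Invalid user admin from 203.0.113.5
Mar 11 10:00:03 gate sshd[1203]: Connection closed by authenticating user admin 203.0.113.5 port 41002 [preauth]
Mar 11 10:00:05 gate sshd[1205]: Connection closed by authenticating user oracle 203.0.113.5 port 41003 [preauth]
Mar 11 10:05:00 gate sshd[1300]: Connection closed by authenticating user bob 198.51.100.7 port 52001 [preauth]
Mar 11 10:05:07 gate sshd[1301]: Accepted publickey for bob from 198.51.100.7 port 52002 ssh2
""".splitlines()

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG))  # {'203.0.113.5': 4}
```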
 

pcm81

Senior member
Mar 11, 2011
> Or just vm both

NNNNNOOOOOOOOO000000000ooooooooo

If the ssh gate is a VM, that means the same port is open on its parent machine, so what's the point of a VM if the parent is open to attacks too. If the firewall is running in a VM that means there is the parent OS essentially running in parallel to the VM over those two same Ethernet ports, hence giving a second, parallel AND POSSIBLY LESS SECURE route for traffic...
 

sdifox

No Lifer
Sep 30, 2005
> NNNNNOOOOOOOOO000000000ooooooooo
>
> If the ssh gate is a VM, that means the same port is open on its parent machine, so what's the point of a VM if the parent is open to attacks too. If the firewall is running in a VM that means there is the parent OS essentially running in parallel to the VM over those two same Ethernet ports, hence giving a second, parallel AND POSSIBLY LESS SECURE route for traffic...

Ports can be dedicated to VMs. Doesn't have to be open to the host.
 

Red Squirrel

No Lifer
May 24, 2003
www.betteroff.ca
I would not VM a firewall. I know a lot of people do it, but it just seems dirty to me. You want the network physically split by hardware. I don't like the idea of an internal server having any port that is directly connected to the internet. A misconfiguration or glitch could expose the whole server or another internal VM instead of just the VM you want.

Same with people who VM storage, I really don't see the point of that, you still need physical storage to put the VMed storage on...
 

PliotronX

Diamond Member
Oct 17, 1999
> I would not VM a firewall. I know a lot of people do it, but it just seems dirty to me. You want the network physically split by hardware. I don't like the idea of an internal server having any port that is directly connected to the internet. A misconfiguration or glitch could expose the whole server or another internal VM instead of just the VM you want.
>
> Same with people who VM storage, I really don't see the point of that, you still need physical storage to put the VMed storage on...

As sdifox mentioned, you can dedicate NICs to VMs to eliminate the management OS from the equation. Looping the NIC, even to another NIC within the same host, is "splitting by hardware" while lowering the cost of requiring an overpriced appliance with sh***y support *cough*cisco*cough*.